Locating Gmail traces

12 Posts
6 Users
0 Likes
1,057 Views
(@stamitz)
Posts: 34
Eminent Member
Topic starter
 

With Encase v. 6 it's possible to search webmail like Hotmail etc. But Gmail is not in the list. Is it possible to search for traces of Gmail webmail? Are there any HTML strings I can look for (like …gmail?inbox…)?

Thanks,

Stamitz

 
Posted : 09/01/2008 4:35 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

With this sort of thing, it's not about the tool used, it's about the examiner.

I've used ProDiscover and its ability to parse the web browser history to find remnants of gmail activity, including attachments that were sent from the system.

 
Posted : 09/01/2008 5:48 pm
(@stamitz)
Posts: 34
Eminent Member
Topic starter
 

Can you tell me if you have found any unique 'strings' with regard to Gmail? If so, I can use them to search in my image.

 
Posted : 09/01/2008 6:21 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Can you tell me if you have found any unique 'strings' with regard to Gmail? If so, I can use them to search in my image.

You mean like "gmail"?

 
Posted : 09/01/2008 6:35 pm
(@stamitz)
Posts: 34
Eminent Member
Topic starter
 

-)

I mean like

gmail?search=inbox&
gmail?search=starred&
gmail?view=cl&search=contacts&

etc. These are old ones (I think) because they don't work … So, if there are any good strings I can use, that would be great.

 
Posted : 09/01/2008 7:00 pm
(@stamitz)
Posts: 34
Eminent Member
Topic starter
 

Okay, because nobody has replied for two weeks I guess there are no strings to be found and all webmail is cached on the server side.

Thanks,

Stamitz

 
Posted : 23/01/2008 6:02 pm
(@buster)
Posts: 28
Eminent Member
 

Stamitz

Apologies for not posting sooner but I have been testing this area (in relation to Windows machines) myself and wanted to (mostly) finish before I posted.

Further apologies for the width of this post! I could not trim it down anymore whilst maintaining readability.

The short answer is I have found very few entries relating to artefacts left behind by "gmail" within the usual Windows internet history data, although I have found some tidbits that may be of use.

I have been concentrating on the Cookies and Temporary Internet folders, specifically the main "index.dat" file for the latter. I have found that the only information I was able to recover was the "gmail" address used and some connection data from the "index.dat" along with some references to "gmail" from the Cookies folder. Interestingly, the strings "gmail" and "googlemail" produce differing results when used with grep to search the output.

Basically the process I used was to copy the "Cookies" folder and the "Index.dat" file to my linux box. I then used galleta to carve the "Cookies" folder data into a text file and used pasco to conduct a similar exercise on the "index.dat". I then used a variety of grep searches to search the txt files for relevant strings.

Some of the output is shown below

This section shows extracts from the "index.dat"


stu@gutsy~/case_work/testing/temp_internet$ cat index.txt | grep gmail
stu@gutsy~/case_work/testing/temp_internet$ cat index.txt | grep googlemail
URL Visited Stu@https://mail.google.com/mail/?account_id=<username>%40googlemail.com&nsr=1&auth=<very long auth key in plain text>&gausr=<username>%40googlemail.com&<qq>=1e1n3rjvl4bzl Thu Dec 27 150526 2007 Thu Dec 27 150526 2007 URL
URL Visited Stu@http//mail.google.com/mail/?account_id=<username>%40googlemail.com&<qq>=1e1n3rjvl4bzl Thu Dec 27 165333 2007 Thu Dec 27 165333 2007 URL
stu@gutsy~/case_work/testing/temp_internet$ cat index.txt | grep <username>
URL Visited Stu@http//picasaweb.google.com/<username>/<blog title>?authkey=***** Thu Dec 27 165301 2007 Thu Dec 27 165301 2007 URL
URL Visited Stu@http//k&hl=en_US">picasaweb.google.com/data/feed/base/user/<username>/albumid/5130838866650960145?kind=photo&alt=rss&authkey=*******k&hl=en_US Thu Dec 27 165245 2007 Thu Dec 27 165245 2007 URL
URL Visited Stu@https://mail.google.com/mail/?account_id=<username>1%40googlemail.com&nsr=1&auth=<very long auth key in plain text>=<username>%40googlemail.com&<qq>=1e1n3rjvl4bzl Thu Dec 27 150526 2007 Thu Dec 27 150526 2007 URL
URL Visited Stu@http//mail.google.com/mail/?account_id=<username>%40googlemail.com&<qq>=1e1n3rjvl4bzl Thu Dec 27 165333 2007 Thu Dec 27 165333 2007 URL

I have sanitized the data so <username> represents the first part of the email address, <blog title> represents the blog name associated with the gmail account and <very long auth key> replaces plain-text, apparently randomly generated strings of numbers and letters. You can see that the grep string gmail revealed no hits whilst googlemail produced the rest.


googlemail.com&<qq>=1e1n3rjvl4bzl

This entry is interesting: it appears to be the first two letters of the account password in plain text (sanitized to qq) followed by the rest under some sort of encryption.

These entries are from the Cookies output.


stu@gutsy~/case_work/testing/cookies$ cat galleta_output | grep googlemail
mail.google.com/mail gmailchat <username>@googlemail.com/676823 10/10/2007 120107 10/03/2012 120107 1600
<#>www.google.com/accounts GAUSR mail<username>@googlemail.com 01/21/2008 112215 01/18/2018 112212 1537
stu@gutsy~/case_work/testing/cookies$ cat galleta_output | grep gmail
mail.google.com/mail gmailchat <username>@googlemail.com/676823 10/10/2007 120107 10/03/2012 120107 1600

I still have a bit more work to do on these, and other Windows files concerning gmail but I hope this helps you a little.

I will be writing up both the full process used (including some (very) basic bash and perl scripts that I wrote to automate some of this) and the results obtained on my blog before too much longer.

Buster

 
Posted : 24/01/2008 2:02 pm
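Buster's observation that "gmail" finds nothing while "googlemail" finds the session records is worth pinning down: the string you grep for depends on the domain the account happens to use, whereas the host in the URL (mail.google.com) is the same for every Gmail web session. The script below is an added example, not Buster's scripts or output. It runs over constructed history lines laid out like the index.dat extracts quoted above (the sample content, the function names, and the assumption that the history tool emits one record per line containing the URL and a ctime-style timestamp are all mine, not pasco's documented format), counts grep-style hits for both strings, pulls out the Gmail records with their account_id, and redacts the auth/authkey values so the URLs can go into a report without carrying a plain-text token.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample, loosely modelled on the index.dat lines quoted in the
# thread (record type, "Visited user@URL", two timestamps). Not real case data.
PASCO_SAMPLE = """\
URL Visited Stu@https://mail.google.com/mail/?account_id=alice%40googlemail.com&nsr=1&auth=DQAAAHoAAAC_EXAMPLE_TOKEN&gausr=alice%40googlemail.com Thu Dec 27 15:05:26 2007 Thu Dec 27 15:05:26 2007 URL
URL Visited Stu@http://mail.google.com/mail/?account_id=alice%40googlemail.com Thu Dec 27 16:53:33 2007 Thu Dec 27 16:53:33 2007 URL
URL Visited Stu@http://picasaweb.google.com/alice/holiday?authkey=EXAMPLEKEY Thu Dec 27 16:53:01 2007 Thu Dec 27 16:53:01 2007 URL
URL Visited Stu@http://www.example.org/news Thu Dec 27 17:00:00 2007 Thu Dec 27 17:00:00 2007 URL
"""

URL_RE = re.compile(r"(https?://\S+)")
# ctime-style timestamp as printed in the sample above (assumed layout).
TIME_RE = re.compile(r"([A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})")
GMAIL_HOSTS = {"mail.google.com"}          # host is domain-independent
SENSITIVE_PARAMS = {"auth", "authkey"}     # session / authorisation tokens
TOKEN_RE = re.compile(r"(?<=[?&])(" + "|".join(sorted(SENSITIVE_PARAMS)) + r")=[^&\s]*")


def grep_count(text, needle):
    """Number of lines containing needle, like a case-sensitive `grep -c`."""
    return sum(1 for line in text.splitlines() if needle in line)


def parse_record(line):
    """Pull the URL, host, decoded query and first timestamp out of one history line."""
    m = URL_RE.search(line)
    if not m:
        return None
    url = m.group(1)
    parts = urlsplit(url)
    # parse_qsl percent-decodes values, so %40 becomes '@' in account_id.
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    t = TIME_RE.search(line)
    return {"url": url, "host": parts.hostname, "query": query,
            "time": t.group(1) if t else None}


def find_gmail_sessions(text):
    """Return Gmail web-client records, keyed on host rather than on the word 'gmail'."""
    found = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec["host"] in GMAIL_HOSTS:
            rec["account"] = rec["query"].get("account_id")
            # Which token-bearing parameters this record exposes in plain text.
            rec["tokens"] = sorted(k for k in rec["query"] if k in SENSITIVE_PARAMS)
            found.append(rec)
    return found


def redact_url(url):
    """Blank token values so the URL can be quoted in a report without a live credential."""
    return TOKEN_RE.sub(r"\1=<redacted>", url)


if __name__ == "__main__":
    for needle in ("gmail", "googlemail", "mail.google.com"):
        print(f"grep -c {needle!r}: {grep_count(PASCO_SAMPLE, needle)}")
    for s in find_gmail_sessions(PASCO_SAMPLE):
        print(s["time"], s["account"], "tokens:", s["tokens"])
        print("   ", redact_url(s["url"]))
```

The plain-text auth value Buster saw is exactly why the redaction step is there: a history extract pasted into a report or a ticket would otherwise carry whatever the token still grants.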
(@stamitz)
Posts: 34
Eminent Member
Topic starter
 

Buster, thanks for sharing this information with me. You have inspired me to

install pasco and galleta under cygwin
copy cookies and index.dat files with FTK Imager
search with grep

Stamitz

 
Posted : 24/01/2008 5:28 pm
(@johnmccash)
Posts: 7
Active Member
 

I've been doing an analysis of a case in which gmail content has been important. I'm finding large numbers of old copies of a file named 'mail' in the lost files area. I believe that gmail uses this file as a temporary area to store incoming JSON datapacks, which are subsequently processed and displayed on the screen. Some of these datapack files contain message body text with encoded HTML, and others contain thread summaries with subjects and snippets of the referenced messages. However, I can't find anything that will decode and display them in any sort of 'nice' format. I've been able to manually reconstruct some of the HTML message bodies by converting hex-encoded '<', '>', '=', and '&' characters back to their ASCII equivalents, but does anyone know of some software that will take these datapack files and automatically parse out all of the data in a readable format?

 
Posted : 28/03/2008 3:37 pm
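The manual step John describes (turning hex-encoded '<', '>', '=' and '&' back into characters) is the kind of thing a short decoder does better than hand editing. The script below is an added example, not John's work and not a parser for Gmail's actual datapack layout, which the post does not specify. It assumes only what John states: the files are JavaScript-style data in which HTML inside string literals has its special characters written as `\xNN` (or `\uNNNN`) escapes. The sample blob, the `D([...])` wrapper and the function names are constructed for the example. It finds the string literals, decodes the escapes, keeps the ones that turn out to contain HTML, and flattens those to readable text.

```python
import html
import re

# Constructed sample in the style John describes: JS-ish data with HTML whose
# '<', '>' and '&' are hex-escaped. Not a real Gmail datapack.
DATAPACK_SAMPLE = (
    r'D(["tb",0,[["12ab","\x3cb\x3eQ1 report\x3c/b\x3e","Please review \x26amp; reply"]]])'
    "\n"
    r'D(["mb","\x3cdiv\x3eHi Bob,\x3cbr\x3ePlease review the \x3cb\x3eQ1 report\x3c/b\x3e '
    r'\x26amp; reply by Friday.\x3c/div\x3e"])'
)

# A double-quoted JS string literal, allowing backslash escapes inside it.
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# One backslash escape: \xNN, \uNNNN, or a single escaped character.
ESC_RE = re.compile(r"\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|.)", re.S)
SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", '"': '"', "\\": "\\", "/": "/", "'": "'"}
TAG_RE = re.compile(r"<[^>]+>")
BREAK_RE = re.compile(r"(?i)<br\s*/?>|</(?:p|div|tr)>")


def decode_js_escapes(s):
    """Turn \\x3c, \\u003e and the usual single-character escapes back into characters."""
    def repl(m):
        e = m.group(1)
        if e[0] in "xu" and len(e) > 1:
            return chr(int(e[1:], 16))
        return SIMPLE_ESCAPES.get(e, e)
    return ESC_RE.sub(repl, s)


def html_to_text(markup):
    """Flatten decoded HTML to plain text: block breaks to newlines, tags dropped, entities resolved."""
    text = BREAK_RE.sub("\n", markup)
    text = TAG_RE.sub("", text)
    return html.unescape(text).strip()


def extract_message_bodies(blob):
    """Decode every string literal in the blob and return the ones that contained HTML, as text."""
    bodies = []
    for m in STR_RE.finditer(blob):
        decoded = decode_js_escapes(m.group(1))
        if TAG_RE.search(decoded):
            bodies.append(html_to_text(decoded))
    return bodies


if __name__ == "__main__":
    for i, body in enumerate(extract_message_bodies(DATAPACK_SAMPLE), 1):
        print(f"--- fragment {i} ---")
        print(body)
```

Run against a carved 'mail' file the same way (read the file, pass its contents to extract_message_bodies); strings that hold only subjects or snippets without markup are left out by the tag check, so widen that filter if the thread summaries are what you are after.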
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

install pasco and galleta under cygwin

Why not just run them from Windows? The EXE comes with cygwin1.dll (no need to install cygwin), and you can always look at using WebHistorian from Mandiant….

 
Posted : 28/03/2008 4:05 pm
Page 1 / 2